Federated Security - PingFederate IdP
Issue
Whilst configuring SP-initiated authentication for a PingFederate IdP with TotalAgility, the customer has trouble when only the base URL is configured in PingFederate.
At run time, PingFederate rejects the callback URL when authentication is attempted with the full return URL (e.g. the KTA Designer URL) passed in the request.
They got it working by configuring the full Designer URL in the IdP, but this should only be required for IdP-initiated federation.
Cause
A PingFederate KB article states:
“When the AuthnRequest is signed, PingFed will blindly send the SAML Response to the AssertionConsumerServiceURL specified in the AuthnRequest, without any validation. Hence, if there is a need to specify dynamic ACS URLs, it's important for the SP to digitally sign the AuthnRequest.”
Solution
An ER was added in TotalAgility (KTA) v7.6 to avoid needing to hard-code the callback URLs in providers such as PingFederate.
The SAML AuthnRequest can now be signed by configuring an optional signing certificate.
This is configured under the 'Signature Settings' tab of the Federated Security configuration in the KTA Designer.
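The rule quoted above, shown as an added example (not KTA or PingFederate code) in Ruby with the standard OpenSSL bindings: the SP signs the HTTP-Redirect query string, and the IdP side honours the request's own AssertionConsumerServiceURL only when that signature verifies, otherwise falling back to the ACS URLs registered for the connection. The AuthnRequest, hostnames and relay state are constructed, and the ACS attribute is pulled out with a regex as a stand-in for full XML parsing.

```ruby
require 'openssl'
require 'zlib'
require 'uri'

SIG_ALG = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Constructed sample AuthnRequest; ID, host and ACS path are hypothetical.
SAMPLE_REQUEST = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
                 'ID="_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" ' \
                 'AssertionConsumerServiceURL="https://kta.example.test/TotalAgility/Designer/"/>'

# SP side: DEFLATE + base64 the request, build the query in the order the HTTP-Redirect
# binding fixes (SAMLRequest, RelayState, SigAlg) and append an RSA-SHA256 Signature
# computed over exactly that URL-encoded string.
def sign_redirect(xml, relay_state, sp_key)
  deflated = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS).deflate(xml, Zlib::FINISH)
  query = URI.encode_www_form('SAMLRequest' => [deflated].pack('m0'),
                              'RelayState' => relay_state, 'SigAlg' => SIG_ALG)
  sig = sp_key.sign(OpenSSL::Digest.new('SHA256'), query)
  "#{query}&Signature=#{URI.encode_www_form_component([sig].pack('m0'))}"
end

# IdP side, modelling the rule quoted above: the ACS URL named in the request is honoured
# only when the query carries a valid signature under the SP's key; an unsigned request may
# only name an ACS URL registered for the connection. Returns the ACS to respond to.
def idp_resolve_acs(query, registered_acs, sp_pub_key)
  params = URI.decode_www_form(query).to_h
  raw = Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(params.fetch('SAMLRequest').unpack1('m0'))
  # Regex stand-in for XML parsing, sufficient for the constructed request above.
  acs = raw[/AssertionConsumerServiceURL="([^"]+)"/, 1] or raise 'no ACS URL in request'
  if (idx = query.index('&Signature='))
    raise 'unsupported SigAlg' unless params['SigAlg'] == SIG_ALG
    signed_part = query[0...idx] # exactly the octets the SP signed, as received
    sig = params.fetch('Signature').unpack1('m0')
    raise 'AuthnRequest signature invalid' unless sp_pub_key.verify(OpenSSL::Digest.new('SHA256'), sig, signed_part)
    return acs # signed: the dynamic ACS is trusted as sent
  end
  return acs if registered_acs.include?(acs)
  raise "unsigned request names unregistered ACS URL #{acs}"
end
```

With signing enabled on the SP, the Designer URL no longer has to be registered in the IdP, which is why the signing certificate removes the need to hard-code callback URLs.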
Level of Complexity
Moderate
Applies to
Product | Version | Build | Environment | Hardware |
---|---|---|---|---|
Kofax TotalAgility | v7.6 + | | | |